Configuring NetScreen Firewalls

NetScreen is well known for its firewall and virtual private network (VPN) technologies, primarily due to the Application-Specific Integrated Circuit (ASIC)-based design of most of its core features, including address translation. This chapter focuses on how the address translation features of NetScreen products have evolved from simple physical interface translation (ScreenOS 2.5 and below) to a solution capable of handling complex address translation design requirements.
Throughout this chapter are several NetScreen scenarios with different example configurations. All of the examples in this chapter assume the following:
Security Zones: Ethernet3 (Untrust) and Ethernet1 (Trust)
Both security zones are within the Trust virtual router (Trust-VR). The example configurations highlight the key areas that relate to that specific scenario.
Network address translation (NAT) is the ability to masquerade one Internet Protocol (IP) address as another. This functionality is completely transparent to the users. For example, Figure 8.1 shows a host on network 10.1.1.x/24 traversing a NAT device. The NAT device translates the source address of packets coming from host 10.1.1.100 to address 172.16.1.1, which then communicates with host 172.16.1.50. This method is called source NAT.
Because of the tremendous growth of the Internet in the past decade, there were not enough IPv4 addresses. NAT was developed to provide an immediate solution to this depletion. Request for Comment...